The General Data Protection Regulation (GDPR) takes effect on May 25, 2018. Its reach extends to enterprises and organizations outside the territory of the EU, its requirements for data protection and data protection by design are more stringent than before, and it carries very large penalties. Most enterprises in Taiwan invested considerable human and material resources in drafting detailed personal data maintenance and management rules and in setting up personal data control processes before Taiwan's Personal Data Protection Act came into force on October 1, 2012. Those preparations may nevertheless be insufficient for GDPR, and any enterprise that falls within GDPR's scope of application must remain cautious.
GDPR also applies to enterprises outside the territory of the EU
GDPR applies to the collection, processing and use of personal data by an enterprise or organization established in the territory of the EU. It also applies to a controller or processor that has no establishment in the EU where the processing relates to offering goods or services to data subjects in the EU, or to monitoring the behaviour of data subjects within the EU. In other words, an enterprise does not need to set up an organization inside the EU to be caught by GDPR.
Consent from the data subject must be clear, informed and as easy to withdraw as to give
When collecting, processing and using personal data, the data controller must follow the principles of transparency and data minimisation. GDPR expands the scope of personal data to include online identifiers such as IP addresses and cookies and location data such as GPS coordinates. Where consent is obtained through a pre-prepared consent form, the data subject must be informed in a clear, plain and intelligible manner of the risks, purposes, protective measures, contact points and rights relating to the collection, processing and use of the data; text full of legal jargon that is hard to understand must not be used, and the request for consent must be clearly distinguishable from other matters so that the data subject understands what is being agreed to. Separate and explicit rules apply to the collection, processing and use of special categories of personal data such as racial or ethnic origin, political opinions, religious beliefs, genetic data and criminal records. Silence, pre-ticked boxes or inactivity on the part of the data subject do not constitute consent. GDPR also places great weight on the data subject's right to withdraw consent: withdrawing consent must be as easy as giving it, and if the controller provides a form for withdrawing consent, its wording must be clear and easy to understand. In addition, where the data subject is a child under 16, consent must be given or authorised by the child's parent or guardian (member states may lower this age, but not below 13), so as to strengthen the protection of children.
New rules in GDPR set restrictions on processing and analysis of personal data
- GDPR adds the right to be forgotten and the right to data portability for the data subject
- The right to be forgotten
Some years ago, the Court of Justice of the EU ruled that a data subject had the right to require a search engine operator to remove links from search results for his or her name if the information was "inadequate, irrelevant or no longer relevant". European courts thus recognised an individual's right to be forgotten well before GDPR, but the right was not explicitly specified until GDPR was formulated. Under GDPR, the data subject has the right to require the controller to erase his or her personal data where the data are no longer necessary for the purpose for which they were collected or processed, where the data subject objects to the processing, where the data subject withdraws consent, or where the data have been unlawfully processed. If the data held by the controller are found to be inaccurate or incomplete, the data subject also has the right to require the controller to rectify or complete them.
- The right to data portability
The right to data portability is the data subject's right to carry his or her personal data freely between different service providers; for example, the data subject can move personal data from one Internet service provider to another. GDPR provides that the data subject is entitled to receive the personal data that he or she originally provided to the controller in a structured, commonly used and machine-readable format, and has the right to have those data transmitted directly to another controller where this is technically feasible, so as to strengthen the data subject's control over his or her personal data. More specific and detailed implementing measures may depend on the rules each EU member state adopts alongside GDPR.
- GDPR strengthens the data subject's right of access, right to object and right to restriction of processing
- Right of access
So that the data subject can be aware of, and verify the lawfulness of, the controller's processing, GDPR entitles the data subject to obtain confirmation of whether his or her personal data are being processed and to access the personal data collected, together with information about the purposes, recipients and retention period. The controller must make it possible for the data subject to exercise this right of access easily and at reasonable intervals.
- Right to object and right to restriction of processing
GDPR gives the data subject the right to object to the processing of his or her personal data and the right to request that processing be restricted. Once the data subject objects, the controller must stop processing the data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or that the processing is necessary for the establishment, exercise or defence of legal claims. Where the data subject requests restriction of processing, the controller may continue to store the data but may otherwise process them only within the scope of the restriction, for example with the data subject's consent or for the establishment, exercise or defence of legal claims.
- Restrictions on automated decision-making and profiling
Where the controller uses automated processing to evaluate aspects of an individual such as performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements (profiling), and a decision based solely on such processing produces legal effects concerning that individual or similarly significantly affects him or her, GDPR provides that the individual has the right not to be subject to that decision, as well as the right to object to the profiling.
What precautions should be taken for GDPR?
- Implementation of data protection impact assessments
GDPR requires the controller to carry out a data protection impact assessment (DPIA) before processing that is likely to result in a high risk to individuals, in order to assess the nature, scope, context and purposes of the processing, identify the risks and decide how to manage and mitigate them. Many enterprises in Taiwan have in practice been carrying out privacy impact assessments (PIA) since Taiwan's Personal Data Protection Act came into force. A PIA is very similar to a DPIA, but whereas Taiwan's Act does not explicitly define a PIA, GDPR sets out the DPIA in detail.
- Timely notification in case of a personal data breach
When a personal data breach occurs, the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. A processor that discovers a breach must notify the controller without undue delay. Where the breach is likely to result in a high risk to the data subjects, the controller must also communicate the breach to the data subjects without undue delay; GDPR sets no fixed time limit for this communication.
- Appointment of a data protection officer
To ensure that the controller or processor complies effectively with the regulation, GDPR requires a data protection officer (DPO) to be designated where the processing is carried out by a public authority or body, where the core activities of the controller or processor consist of regular and systematic monitoring of data subjects on a large scale, or where the core activities consist of large-scale processing of special categories of personal data or data relating to criminal convictions. The final text does not tie this duty to a headcount threshold; the 250-employee figure in GDPR relates instead to the exemption from keeping records of processing activities. The DPO must be able to perform his or her tasks independently and must not be dismissed or penalised for doing so. If the enterprise or organization violates GDPR, it is the controller or processor, not the DPO personally, that bears the legal liability.
- Large administrative fines
To make controllers take the protection of personal data more seriously, GDPR greatly increases the level of fines and sets two tiers depending on the severity of the violation. For the most serious violations, such as processing personal data without a lawful basis, infringing data subjects' rights or unlawfully transferring personal data to a third country, a fine of up to EUR 20,000,000 or 4% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher, may be imposed. Other violations, including failure to notify the supervisory authority of a personal data breach within the 72-hour time limit, fall in the lower tier of up to EUR 10,000,000 or 2% of worldwide annual turnover, whichever is higher.
With GDPR in force, enterprises and organizations outside the territory of the EU can fall within its scope of application. Enterprises in Taiwan that target a global market should therefore confirm as soon as possible whether they are subject to GDPR in addition to Taiwan's Personal Data Protection Act, and accelerate their GDPR compliance measures to avoid exposure to these substantial fines.